ENFORCEMENT INFORMATION FOR March 25, 2015

PayPal, Inc. Settles Potential Civil Liability for Apparent Violations of Multiple Sanctions Programs: PayPal, Inc. (PayPal), a licensed money services business (MSB) headquartered in San Jose, California, has agreed to remit $7,658,300 to settle its potential civil liability for processing 486 transactions totaling approximately $43,934, in apparent violation of the following sanctions programs administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC): the Weapons of Mass Destruction Proliferators Sanctions Regulations, 31 C.F.R. part 544 (WMDPSR); the Iranian Transactions and Sanctions Regulations, 31 C.F.R. part 560 (ITSR) ; the Cuban Assets Control Regulations, 31 C.F.R. part 515 (CACR); the Global Terrorism Sanctions Regulations, 31 C.F.R. part 594 (GTSR); and the Sudanese Sanctions Regulations, 31 C.F.R. part 538 (SSR).

For several years up to and including 2013, PayPal failed to employ adequate screening technology and procedures to identify the potential involvement of U.S. sanctions targets in transactions that PayPal processed. As a result of this failure, PayPal did not screen in-process transactions in order to reject or block prohibited transactions pursuant to applicable U.S. economic sanctions program requirements. Between December 17, 2010 and September 29, 2013, PayPal processed 98 transactions totaling $19,344.89 in apparent violation of the CACR. The total base penalty for this set of apparent violations was $9,672.45. Between September 16, 2009 and October 11, 2013, PayPal processed 125 transactions totaling $8,257.66 in apparent violation of the ITSR. The total base penalty for this set of apparent violations was $4,129. Between November 29, 2009 and May 11, 2013, PayPal processed 94 transactions totaling $5,925.27 in apparent violation of the GTSR. The total base penalty for this set of apparent violations was $2,984.88. Between May 9, 2010 and August 19, 2013, PayPal processed 33 transactions totaling $3,314.43 in apparent violation of the SSR. The total base penalty for this set of apparent violations was $1,657. Each of the transactions giving rise to the apparent violations either contained an explicit reference to a country subject to OFAC sanctions or another term linked to the country (i.e., "Tehran," "Khartoum," "Cuba," "Iran," "Sudan," "Iranian," or "Cuban"), or involved a PayPal account in which the Specially Designated Global Terrorists Interpal or Kahane Chai had an interest.

Separately, between October 20, 2009 and April 1, 2013, PayPal processed 136 transactions totaling $7,091.77 to or from a PayPal account registered to Kursad Zafer Cire, an individual designated by the U.S. State Department on January 12, 2009 pursuant to Executive Order 13382 of June 28, 2005, "Blocking Property of Weapons of Mass Destruction Proliferators and Their Supporters," in apparent violation of the WMDPSR. PayPal stated to OFAC that it failed to identify its customer as a potential Specially Designated National (SDN) at the time of his designation because the MSB’s automated interdiction filter was not "working properly." Starting approximately six months later, PayPal’s automated interdiction filter appropriately flagged Cire’s account five times (on July 30, 2009, September 3, 2009, October 21, 2009, October 24, 2009, and November 16, 2009) for potential matches to the SDN, and on each occasion, separate PayPal Risk Operations Agents dismissed the alerts without requesting additional information to clear the potential SDN name matches. PayPal stated that this conduct did not comply with the MSB’s internal policies and procedures for handling SDN name matches. On February 14, 2013, PayPal’s interdiction filter again flagged Cire’s account for a sixth time due to a potential match to the SDN, and a PayPal Risk Operations Agent followed the MSB’s procedures for handling an SDN name match by creating a "case" for the match, restricting Cire’s account, and requesting additional information from the customer. Upon receiving the requested information, which included a copy of Cire’s passport showing a date of birth and place of birth that were identical to those of the SDN, PayPal’s Risk Operations Agent dismissed the match due to an apparent misunderstanding of why the interdiction filter had flagged Cire’s account for review. On April 3, 2013, PayPal’s interdiction filter flagged Cire’s account for a seventh time, and the MSB appropriately blocked the account and reported it to OFAC. The total base penalty for this set of apparent violations was $17,000,000.

OFAC determined that PayPal voluntarily self-disclosed the apparent violations described above. OFAC also determined that the apparent violations of the ITSR, CACR, GTSR, and SSR constitute a non-egregious case, and that the apparent violations of the WMDPSR constitute an egregious case. The total base penalty amount for all of the apparent violations was $17,018,443.

In determining that PayPal’s apparent violations of the WMDPSR were egregious, OFAC considered the following facts and circumstances: 1) PayPal demonstrated reckless disregard for U.S. economic sanctions requirements when its interdiction software failed to identify Cire as a potential match to the SDN List for approximately six months after Cire’s designation and when, after the software ultimately flagged the accountholder as a potential match to the SDN, employees cleared name matches against Cire’s account on six separate occasions prior to appropriately identifying and blocking the account. The conduct was particularly reckless with respect to those transactions on or after September 3, 2009—the date that a PayPal Risk Operations Agent dismissed the second alert. Additionally: 2) PayPal agents engaged in a pattern of conduct by repeatedly ignoring certain warning signs about potential matches to the SDN List; 3) in the course of this conduct, PayPal provided economic benefit to Cire and undermined the integrity of the WMDPSR and its policy objectives; and 4) multiple PayPal Risk Operations Agents failed to adhere to the MSB’s policies and procedures pertaining to SDN match escalation.

OFAC found the following to be additional aggravating factors in this case: 1) PayPal’s management demonstrated reckless disregard for U.S. economic sanctions requirements in deciding to operate a payment system without implementing appropriate controls to prevent the system from processing transactions in apparent violation of OFAC regulations; 2) PayPal management and supervisors knew of the conduct giving rise to the apparent violations; 3) PayPal’s conduct resulted in harm to U.S. sanctions program objectives, and the MSB provided economic benefit to Cire and undermined the integrity of the WMDPSR by operating an account and processing transactions on behalf of an SDN for approximately three-and-a-half years; and 4) PayPal’s OFAC compliance program was inadequate to prevent the apparent violations.

OFAC found the following to be mitigating factors in this case: 1) PayPal hired new management within its Compliance Division, identified OFAC-related issues with regard to the MSB’s payment system in 2011, and undertook various measures to strengthen PayPal’s OFAC screening processes and measures, including steps to implement more effective controls; 2) PayPal has not received a penalty notice or Finding of Violation in the five years preceding the earliest date of the transactions giving rise to the apparent violations; and 3) PayPal substantially cooperated with OFAC’s investigation, including by submitting the relevant documents and information in a clear and organized fashion, answering numerous follow-up inquiries for information over the course of OFAC’s investigation, and by entering into a statute of limitations tolling agreement.


[1] On October 22, 2012, OFAC changed the title of the Iranian Transactions Regulations to the ITSR, amended the renamed ITSR, and reissued them in their entirety. See 77 Fed. Reg. 64,664 (Oct. 22, 2012). For the sake of clarity, all references herein to the ITSR shall mean the regulations in 31 C.F.R. part 560 in effect at the time of the activity, regardless of whether such activity occurred before or after the regulations were renamed.